Thursday, 28 August 2014

A vital
susceptibility found in a WordPress plug-in that has been downloaded 1.7
million times enables potential attackers to take absolute control of blogs
that utilize it.

The fault is
placed in the MailPoet Newsletters plug-in, formerly known as wysija-newsletters,
and was noticed by researchers from Web security firm Sucuri.

“This bug should
be taken seriously; it gives a potential intruder the power to do anything he
wants on his victim’s website,” Daniel Cid, Sucuri’s chief technology officer,
said in a blog post Tuesday. “It allows for any PHP file to be uploaded. This
can allow an attacker to use your website for phishing lures, sending SPAM,
hosting malware, infecting other customers (on a shared server), and so on!”

The vulnerability
was patched in MailPoet version 2.6.7, announced on July 2nd, 2014, so all
WordPress blog administrators must improve the plug-in to the latest version as
soon as possible if they make use of it.

The fault was the outcome
of the MailPoet developers mistakenly presuming that the “admin_init” hook in
WordPress is only triggered when an administrator visits pages from the
administration panel, Cid said.

The MailPoet
developers employed admin_init to confirm whether the active user is permitted
to upload files, but as this hook is actually also triggered by a page available
to unauthenticated users, the plug-in’s file upload functionality was made obtainable
to almost everyone.

It’s simple to
make this error and all plug-in developers must be careful of this behavior,
Cid said. “If you are a developer, never use admin_init() or is_admin() as an
authentication method.”

WordPress sites
are a continuous target for attackers and those who get compromised are often employed
to host spam pages or nasty content as part of other attacks. Cybercriminals
are running inspections on the Internet on a daily basis to identify WordPress
installations influenced by susceptibilities like the one found in MailPoet.